System and method for connecting a communication to a client

ABSTRACT

A method and system for connecting a communication to a client including at a system bridge, establishing a client subscription connection with a client device; receiving an incoming communication request at the system bridge; publishing an incoming communication notification from the system bridge to the client device; receiving a client communication at the system bridge; and merging the incoming communication request into the client communication at the system bridge.

CLAIM OF PRIORITY

The present application is a continuation of U.S. patent application Ser. No. 16/113,919, filed 27 Aug. 2018, which is a continuation of U.S. patent application Ser. No. 15/184,621, filed 16 Jun. 2016, which is a divisional of U.S. patent application Ser. No. 13/478,495, filed 23 May 2012, which claims priority to: U.S. Provisional Patent Application Ser. No. 61/489,189 entitled “System and Method for Connecting a Call to a Client” and filed on 23 May 2011; and U.S. Provisional Patent Application Ser. No. 61/500,549 entitled “System and Method for Connecting a Call to a Client” and filed on 23 Jun. 2011, the entirety of both of which is incorporated by this reference.

TECHNICAL FIELD

This invention relates generally to the telephony field, and more specifically to a new and useful system and method for connecting a call to a client in the telephony field.

BACKGROUND

In recent years, telephony applications and Voice over Internet Protocol (VoIP) have found applications in numerous settings. Such technology has enabled clients to establish communication to outside devices such as phones or applications. However, the nature of most network configurations prevents easy incoming messages. Clients behind network address translation (NAT) routers have long been hindered by a lack of end-to-end connectivity that makes incoming communications challenging. Varying network, router, and firewall configurations can complicate this issue. These structural inadequacies seriously limit the scope and applicability of Internet-based telephony. Thus, there is a need in the telephony field to create a new and useful system and method for connecting a call to a client. This invention provides such a new and useful system and method.

BRIEF DESCRIPTION OF THE FIGURES

FIG. 1 is a flowchart depicting a first method for connecting a communication to a client in accordance with a preferred embodiment;

FIG. 2 is schematic representations of a preferred method for connecting a communication to a client in accordance with a preferred embodiment;

FIG. 3 is a flowchart depicting a variation of the first preferred method for connecting a communication to a client;

FIG. 4 is a flowchart depicting another variation of the first preferred method for connecting a communication to a client;

FIG. 5 is a flowchart depicting another variation of the first preferred method for connecting a communication to a client;

FIG. 6 is schematic representations of preferred methods for connecting a communication to a client in accordance with a preferred embodiment;

FIG. 7 is a flowchart depicting another variation of the first preferred method for connecting a communication to a client;

FIG. 8 is a flowchart depicting another variation of the first preferred method for connecting a communication to a client;

FIG. 9 is a flowchart depicting a second method for connecting a communication to a client in accordance with a preferred embodiment;

FIG. 10 is a schematic representation depicting a variation of the second preferred method for connecting a communication to a client;

FIG. 11 is a schematic representation depicting another variation of the second preferred method for connecting a communication to a client;

FIG. 12 is a flowchart depicting a variation of the second preferred method for connecting a communication to a client;

FIG. 13 is a flowchart depicting another variation of the second preferred method for connecting a communication to a client;

FIG. 14 is a schematic block diagram of a system for connecting a communication to a client in accordance with a preferred embodiment; and

FIG. 15 is a schematic block diagram of another system for connecting a communication to a client in accordance with a preferred embodiment.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

The following description of the preferred embodiments of the invention is not intended to limit the invention to these preferred embodiments, but rather to enable any person skilled in the art to make and use this invention.

Methods

As shown in FIGS. 1 and 2, a first preferred method for connecting a communication to a client of a preferred embodiment can include: at a system bridge, establishing a client subscription connection with a client device in block S100; receiving an incoming communication request at the system bridge in block S102; publishing an incoming communication notification from the system bridge to the client device in block S104; receiving a client communication at the system bridge in block S106; and merging the incoming communication request into the client communication at the system bridge in block S108. The first method preferably functions to connect incoming communications to a client utilizing a subscription connection that prompts a client to call out. The first method preferably creates a substantially persistent channel of communication such that a client can actively establish a connection when an incoming message arrives, which in turn preferably enables web services, mobile devices, and platforms that want to implement features for incoming communications to circumvent incoming communication issues caused by firewalls and routers. In one alternative implementation of the first preferred method, client communication is preferably initiated by a client as opposed to a client directly responding to a received incoming call.

Preferably, the first preferred method can employ authentication and/or authorization security measures that function to secure the communication channels. An authentication layer preferably prevents malicious parties from posing as a client and/or incoming call. In one embodiment, an application (web or native) may facilitate the use of a token to authenticate a client connecting to an incoming call. The first preferred method is preferably used within an internet-telephony platform, but may alternatively be used for any suitable applications such as Internet messaging or real-time applications that may need to establish an incoming communication channel. The method can be configured and/or adapted to function for any suitable type of communication, including telephony-based voice calls, Internet-based voice calls, video calls, video streams, video sessions, screen sharing, screen sharing streams, screen sharing sessions, SMS messaging, IP messaging, alternative messaging, or any suitable form of communication. The term call should be understood to include any suitable application, and any suitable form of incoming communication to a client may be received and merged with the client through this method, such as video, screen sharing, chat, or text messaging.

As shown in FIG. 1, the preferred method can include block S100, which recites at the system bridge, establishing a client subscription connection with a client device. Block S100 preferably functions to create a substantially persistent connection between the client and the system bridge. The client subscription connection is preferably a publication/subscription Internet communication channel that can be used to push incoming call notifications to the client. The subscription channel can include one or more websockets, an HTTP server push, an Adobe flash socket, ajax long polling, ajax multipart streaming, a forever iframe, jsonp polling, Comet, XMPP, BOSH, or any suitable communication technology to facilitate a client subscription. The subscription connection is preferably persistently maintained. The client preferably establishes a client subscription connection by initially registering a subscription channel and then subscribing to that channel. The channel is preferably subscribed to using a method substantially similar to the method for connecting a client to an application described below, in which a token is used. Alternatively, any suitable technique to subscribe may be used. Once registered, the system bridge will preferably publish a notification to that subscription. The subscription connection is preferably established between a client and a system bridge through a pubsub system, but any suitable subscription connection may be used. A client identifier is preferably created, which may be used for the subscription channel and additionally as a handle or mapping for addressing incoming calls. The client identifier is preferably specified by the client, but may alternatively be an automatically assigned client identifier. The client identifier preferably includes a client ID, which may be signed with a shared secret. The client identifier may include various scopes that may take form as subdirectories or hierarchical layers of contexts. 
For example, one name space of “foo” may have a subdirectory of “foo/mobile” and a second subdirectory of “foo/web”. In this example, “foo/mobile” may be registered for a mobile device client and “foo/web” may be registered for a desktop browser session. Incoming calls can preferably address these devices individually by using “foo/mobile” or “foo/web”. Additionally, an incoming call may be simultaneously directed at both clients by using “foo/*”. Additional attributes can be assigned to the name-spaced endpoint or to different scopes of the name-spaced endpoint. Additionally the client identifiers may be used to broadcast to multiple clients. Clients can preferably subscribe to client identifiers. For example a plurality of clients may subscribe to “foo” and each receive a request sent to “foo”.
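The addressing rules in the "foo/mobile", "foo/web" and "foo/*" example can be made concrete with a small resolver. This is an added example, not code from the patent; the `Registry` type, the connection names, and the rules that "*" is valid only as the whole final segment and that "foo/*" covers scopes below "foo" but not "foo" itself are assumptions of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Registry maps a subscription channel (name-spaced client identifier)
// to the connections subscribed to it. All names below are constructed.
type Registry map[string][]string

var ErrBadIdentifier = errors.New("invalid client identifier")

// Resolve returns the connections an incoming call should be published to.
// Assumption of this example: "*" is accepted only as the entire last
// segment and never as the first, so a caller cannot address every namespace.
func (r Registry) Resolve(addr string) ([]string, error) {
	segs := strings.Split(addr, "/")
	last := len(segs) - 1
	for i, s := range segs {
		wild := strings.Contains(s, "*")
		if s == "" || (wild && (s != "*" || i != last || i == 0)) {
			return nil, ErrBadIdentifier
		}
	}
	seen := map[string]bool{}
	out := []string{}
	add := func(conns []string) {
		for _, c := range conns {
			if !seen[c] {
				seen[c] = true
				out = append(out, c)
			}
		}
	}
	if segs[last] != "*" {
		add(r[addr]) // exact channel, possibly with several subscribers
	} else {
		// Keep the trailing "/" so "foo/*" cannot match "foobar/mobile".
		prefix := strings.TrimSuffix(addr, "*")
		for channel, conns := range r {
			if strings.HasPrefix(channel, prefix) {
				add(conns)
			}
		}
	}
	sort.Strings(out)
	return out, nil
}

// SampleRegistry is constructed data for the demonstration.
func SampleRegistry() Registry {
	return Registry{
		"foo/mobile":    {"conn-mobile-1"},
		"foo/web":       {"conn-web-1"},
		"foo":           {"conn-tab-1", "conn-tab-2"}, // broadcast channel
		"foobar/mobile": {"conn-other-1"},            // different namespace
	}
}

func main() {
	reg := SampleRegistry()
	for _, addr := range []string{"foo/mobile", "foo/*", "foo", "*", "fo*/web"} {
		conns, err := reg.Resolve(addr)
		fmt.Printf("%-12s -> %v (err: %v)\n", addr, conns, err)
	}
}
```

Matching on the prefix with its separator, rather than on the bare namespace string, is what keeps a notification for one namespace from reaching a subscriber in a similarly named one.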

Block S102, which recites receiving an incoming communication request at the system bridge, functions to accept a communication from an outside entity directed to a client. The incoming call may have any suitable source. A cloud-based communication router preferably initially receives/initiates the incoming communication. The cloud-based communication router is preferably a call router of a telephony platform such as one substantially similar to the one described in published U.S. Patent Application No. 2009/0252159, titled “SYSTEM AND METHOD FOR PROCESSING TELEPHONY SESSIONS”, which is hereby incorporated in its entirety by this reference, but the cloud-based communication router may alternatively be any suitable communication router. Alternatively, the system bridge may be integrated into the cloud-based router or call router architecture or alternatively into any suitable communication framework. The incoming call preferably specifies an identifier, and more preferably, the incoming call specifies a name-spaced client identifier. The identifier preferably corresponds to a client or more preferably a subscription channel. In one variation, the client may vary depending on what user devices are active, and thus the identifier is preferably not specific to a particular client device (e.g., addressing to “foo/*”). The identifier is preferably unique to a user, account, session, or any suitable entity. Preferably using the identifier, a subscription is identified and an incoming communication notification is generated for publishing in block S104. While the client is notified and calls out, the system bridge preferably puts the incoming communication into a holding-state. The holding state is preferably a temporary state where the incoming communication is received by the system bridge but the client (e.g., the callee) has not initiated an outgoing communication to connect to the caller. 
When the system bridge is ready to merge the incoming communication to a client, the incoming communication is pulled from the holding-state.

Block S104, which recites publishing an incoming communication notification from the system bridge to the client device, functions to push a message to the client through the subscription channel. The client subscription channel preferably facilitates simple notification because the connection is substantially persistent and the outside entity is not required to independently establish the connection. There may additionally be a plurality of clients subscribed to the subscription channel, and the incoming communication notification may be published to a plurality of clients. The incoming communication notification is preferably sufficient to initiate a client communication sent to the system bridge by the client. Alternatively, the communication notification may include additional parameters such as keys to authenticate that the message is from the system bridge, call URIs to direct a call out, caller metadata, and/or any suitable parameter. The system bridge may additionally pass opaque data (from the perspective of the client) to the client. This data is preferably passed along when the client connects back in. In one variation, block S104 may include pushing a communication token from the system bridge to the client S110 as shown in FIG. 3. The passed communication token may be used to later identify which incoming communication to connect with the client communication. The communication token preferably includes a communication ID and a host (identifier for the instance) that allows the incoming communication to be uniquely identified across multiple bridge nodes. Block S110 preferably includes encrypting the communication token with a key unique to the system bridge in block S112 and as shown in FIG. 4. The variation preferably includes receiving the encrypted communication token at the system bridge from the client and decrypting the encrypted communication token at the system bridge in Block S114 as shown in FIG. 5. 
The passing of a communication token functions to remove the need for an external state, which is unnecessary because the state is preferably contained in the system bridge token. As described below, the communication token is preferably passed back to the system bridge from the client, and the communication token is then decrypted with the bridge system secret and the call (or connection) bridged as shown in FIG. 15. When there is a plurality of system bridges used in a scale infrastructure, the token preferably indicates which system bridge to pass the client communication message to. If the subscription channel is encrypted and authorized, then the token may additionally function to provide security for incoming connections.
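The communication-token round trip of blocks S110 to S114 can be sketched as follows. This is an added example, not code from the patent: the patent names no cipher, so AES-256-GCM is this example's choice, and the `Bridge` type, the field names, the single-use rule and the assumption that all nodes of a cluster share one key (so any node can read the host field and forward the request) are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// CommToken carries the state the bridge would otherwise keep externally.
type CommToken struct {
	CommID string `json:"comm_id"` // communication ID
	Host   string `json:"host"`    // bridge instance holding the call
}

var (
	ErrBadToken  = errors.New("token rejected: not produced with the bridge key")
	ErrWrongHost = errors.New("token belongs to another bridge node")
	ErrNotHeld   = errors.New("no such communication in holding state")
)

type Bridge struct {
	host string
	aead cipher.AEAD
	held map[string]bool // incoming communications in holding state
}

// NewBridge expects a 32-byte key (assumed shared by the cluster).
func NewBridge(host string, key []byte) (*Bridge, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Bridge{host: host, aead: aead, held: map[string]bool{}}, nil
}

// Hold parks an incoming communication and returns the opaque token that
// is published to the client over the subscription channel.
func (b *Bridge) Hold(commID string) (string, error) {
	pt, err := json.Marshal(CommToken{CommID: commID, Host: b.host})
	if err != nil {
		return "", err
	}
	nonce := make([]byte, b.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	b.held[commID] = true
	sealed := b.aead.Seal(nonce, nonce, pt, nil) // nonce || ciphertext || tag
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Redeem decrypts the token the client sends back and takes the matching
// communication out of the holding state so it can be merged.
func (b *Bridge) Redeem(token string) (CommToken, error) {
	var t CommToken
	raw, err := base64.RawURLEncoding.DecodeString(token)
	n := b.aead.NonceSize()
	if err != nil || len(raw) < n {
		return t, ErrBadToken
	}
	pt, err := b.aead.Open(nil, raw[:n], raw[n:], nil)
	if err != nil || json.Unmarshal(pt, &t) != nil {
		return CommToken{}, ErrBadToken // tampered or forged token
	}
	if t.Host != b.host {
		return t, ErrWrongHost // caller forwards the request to t.Host
	}
	if !b.held[t.CommID] {
		return t, ErrNotHeld // unknown or already merged
	}
	delete(b.held, t.CommID) // single use
	return t, nil
}

func main() {
	key := []byte("constructed-demo-key-32-bytes!!!") // constructed, 32 bytes
	a, _ := NewBridge("bridge-a", key)
	tok, _ := a.Hold("comm-constructed-1")
	t, err := a.Redeem(tok)
	fmt.Println(t, err)
	_, err = a.Redeem(tok)
	fmt.Println(err)
}
```

Authenticated encryption matters here because the token travels through the client: a client that could alter the communication ID undetected could attach itself to another caller's held communication.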

Block S106, which recites receiving a client communication at the system bridge, functions to have the client call out to the system bridge to be merged with the incoming communication. The client, upon receiving the communication notification from block S104, preferably initiates forming connections to the system bridge. The client may be any suitable device with a network connection to the system bridge. The client device may be running a native application or alternatively a web application. The call out message is preferably communicated through HTTP or HTTPS but any suitable transport layer may alternatively be used. Any additional parameters from the client are preferably included in a message to the system bridge as appropriate, such as an application identifier or application data. The application identifier is preferably a name-spaced endpoint. A name-spaced endpoint is preferably a context that embodies various aspects for the endpoint (e.g., a client). Name-spaced endpoints preferably include a plurality of parameters including associated phone numbers, application URIs, status callback URIs (e.g., backup URIs if communication with a client application fails), or any suitable parameter. A name-spaced endpoint may be globally or locally unique for a given user. For example, a name-spaced endpoint may be unique for all communication occurring over a platform or protocol. The name-spaced endpoint may alternatively be unique for an instance of an application. Allowed users, pricing models, account-application settings, and/or any suitable aspects can be stored as part of the name-spaced endpoint. For example, only particular users may be allowed to call in or use a particular scope of a name-spaced endpoint while a second scope may be publicly accessible.

Additionally or alternatively, security measures are taken to authenticate the message from the client to the system bridge as shown in FIG. 6. Block S108 preferably includes authenticating the client communication at a policy engine S116 as shown in FIG. 7. The policy engine preferably authenticates a client communication from the client prior to merging the incoming communication. The policy engine preferably authenticates the client by using a token associated with the client and analyzing a signed client communication from the client. If the client communication satisfies the authentication, a preferred embodiment preferably includes merging the incoming communication request into the client communication at the system bridge in response to client authentication at the policy engine S118 as shown in FIG. 8. If the client communication fails to satisfy the authentication, an error may be logged and any suitable error response may be taken. Preferably, the token is sent from the client. In one variation, the client has an embedded token from when an application was instantiated. In another variation, a communication can be made to an authentication application to retrieve a token. Alternatively, a client identifier is sent to a policy engine that has an authentication application authenticate the credentials of the client identifier. Similarly a SIP backend authentication may alternatively be used. The authentication may occur for registration and/or outbound communications. The token preferably includes an application ID and any additional parameters. The contents of a token are preferably signed with a secret key. A policy engine preferably completes authentication of the token before allowing a connection to the system bridge. A policy engine preferably mediates the call out requests and authenticates any tokens, and may additionally verify permissions associated with application identifiers. 
Any suitable alternative forms of authentication may alternatively or additionally be integrated into the method.

Block S108, which recites merging the incoming communication request into the client communication at the system bridge, functions to connect the incoming communication request to the client. Once the client sends a client communication to the system bridge, the system bridge preferably identifies the corresponding incoming communication and establishes the communication channel between the client and the outside entity of the incoming communication. The incoming communication is preferably moved out of the holding-state and added to an active channel of communication with the intended client. Upon establishing the connection, the client and the outside entity can preferably continue to use the established connection for communication. For example, a VoIP call made to the system bridge may be connected to a client device, and then a VoIP session can preferably continue to use the channel established by the preferred method. The connection may be any suitable form of connection including a number of channels that may include audio, video, messaging, screen sharing, or any suitable channel for communication.

As shown in FIG. 9, a second preferred method for connecting a client to an application of a preferred embodiment includes receiving a connection request at a policy engine from a client, the connection request including an authentication token retrieved by the client in block S200; receiving an authentication token at the policy engine S202; authenticating the client at the policy engine by verifying the authentication token in block S204; and permitting the client to connect to an application in response to verification of the authentication token in block S206. The method functions to enable a possibly untrusted client to securely access application services and resources. A client preferably describes a web browser, application session, or any suitable outside entity. The method is preferably implemented for use with a telephony platform but may alternatively be used for any suitable communication platform. The method may be used to implement browser-based telephony applications such as click to call features, voice sessions, video calls, video streams, screen sharing, sending of SMS messages, alternative messaging, or any suitable application. In an exemplary application, the client is enabled to initiate and interact with a telephony application by obtaining a token to authenticate access to the application. Additionally, the method of connecting a client to an application may be applied in cooperation with the method above for a client receiving incoming communications.

Block S200, which recites receiving a connection request at a policy engine from a client, functions to receive communication from a client wishing to use an application. As described below, an authentication token is preferably directly or indirectly communicated to the policy engine. The policy engine then can preferably allow or deny access to an application by a client based on the verification of the authentication token. The connection request may be accompanied by the token as shown in FIG. 10 or the connection request may come prior to obtaining a token as shown in FIG. 11.

Block S202, which recites receiving an authentication token at the policy engine, functions to obtain an authentication token on behalf of a client. The authentication token is preferably a data package that includes application ID and/or additional parameters. The authentication token is preferably signed. The authentication token is more preferably signed with a secret key shared by the policy engine and an accessing entity (e.g., a web application for use of the telephony application). The application ID and/or the authentication token may be sent to the client, which may then use the authentication token to connect to a web application. In another variation, the client may provide an identifier that enables a policy engine to validate with an authentication application. In the first variation, as shown in FIG. 10, a web application preferably sends an authentication token to the client. The client then communicates the authentication token directly when sending a connection request. The authentication token may be embedded in the webpage or application when instantiated. Alternatively, a client may dynamically request the authentication token such as by using AJAX upon a user-triggered event. In a second variation, as shown in FIG. 11, the client may send an identifier when sending a connection request for indirectly obtaining a token for a client. In this variation, block S202 preferably includes sending a client identifier contained in the connection request from the client to an authentication application S208 and receiving the authentication token at the policy engine from the authentication application S210 as shown in FIG. 12. A policy engine preferably connects with an authentication application. The authentication application can preferably use the identifier to authenticate or deny access by the client. The authentication application then sends a response to the policy engine that preferably includes an authentication token. 
The authentication token received at the policy engine from the authentication application preferably enables the client to be indirectly authorized to form a connection. The authentication application is preferably a server run by the web application entity, but may alternatively be a third party authentication application. The identifier may include an account name, code, or any suitable parameters that the authentication application requires to complete authentication.

Block S204, which recites authenticating the client at the policy engine by verifying the authentication token, functions to determine if a client should be allowed or denied access to an application. In the first variation where a token is received from the client, a shared secret between the application and the policy engine may be used to authenticate the token. In the second variation, the authentication application may send the authentication token, which may be authorized in a similar manner, or the authentication application may communicate to the policy engine if the client is allowed or denied.

Block S206, which includes permitting the client to connect to an application in response to verification of the authentication token, functions to allow the client to connect to the application or to deny the client access to the application. The connection request from the client is preferably forwarded on to the application if the verification of the authentication token allows access. If the connection request is denied, a communication may be sent back to the client or any suitable response may be made. The connection in one application is preferably establishing a voice session, video session, click to call feature, starting an outbound call, a video stream, a screen sharing session, SMS/MMS messaging, IP messaging session, and/or any suitable communication application as in block S212 shown in FIG. 13. In one exemplary application, a call router of a telephony platform preferably facilitates execution of the application.
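The first variation of blocks S202 to S206 (and the policy-engine check described for the first method) can be sketched as a signed token that a web application issues and a policy engine verifies before allowing or denying the connection. This is an added example, not code from the patent: the token layout, HMAC-SHA256 as the signature, and the `scope` and `exp` parameters are assumptions chosen for illustration; the patent only states that the token includes an application ID and additional parameters and is signed with a shared secret key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// AuthToken is the signed data package. Scope and Expires stand in for
// the "additional parameters" and are assumptions of this example.
type AuthToken struct {
	AppID   string `json:"app_id"`
	Scope   string `json:"scope"` // name-spaced endpoint the client may use
	Expires int64  `json:"exp"`   // Unix seconds
}

var (
	ErrMalformed    = errors.New("malformed token")
	ErrBadSignature = errors.New("signature does not verify")
	ErrExpired      = errors.New("token expired")
	ErrScope        = errors.New("endpoint outside token scope")
	b64             = base64.RawURLEncoding
)

func sign(secret []byte, msg string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// Issue is performed by the web application that shares the secret.
func Issue(secret []byte, t AuthToken) (string, error) {
	body, err := json.Marshal(t)
	if err != nil {
		return "", err
	}
	payload := b64.EncodeToString(body)
	return payload + "." + b64.EncodeToString(sign(secret, payload)), nil
}

// PolicyEngine holds one shared secret per application ID.
type PolicyEngine struct {
	Secrets map[string][]byte
}

// Authorize verifies the token and decides whether the connection request
// for the given endpoint may be forwarded to the application.
func (pe *PolicyEngine) Authorize(token, endpoint string, now time.Time) (AuthToken, error) {
	var t AuthToken
	parts := strings.SplitN(token, ".", 2)
	if len(parts) != 2 {
		return t, ErrMalformed
	}
	body, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[1])
	if err1 != nil || err2 != nil || json.Unmarshal(body, &t) != nil {
		return AuthToken{}, ErrMalformed
	}
	// The unverified app_id is used only to select the key; nothing else
	// in the payload is trusted until the signature has been checked.
	secret, known := pe.Secrets[t.AppID]
	if !known || !hmac.Equal(sig, sign(secret, parts[0])) {
		return AuthToken{}, ErrBadSignature
	}
	if now.Unix() >= t.Expires {
		return AuthToken{}, ErrExpired
	}
	if endpoint != t.Scope {
		return AuthToken{}, ErrScope
	}
	return t, nil
}

func main() {
	secret := []byte("constructed-shared-secret") // constructed value
	pe := &PolicyEngine{Secrets: map[string][]byte{"app-constructed-1": secret}}
	now := time.Unix(1700000000, 0)
	tok, _ := Issue(secret, AuthToken{"app-constructed-1", "foo/web", now.Unix() + 3600})
	_, err := pe.Authorize(tok, "foo/web", now)
	fmt.Println("foo/web:", err)
	_, err = pe.Authorize(tok, "foo/mobile", now)
	fmt.Println("foo/mobile:", err)
}
```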

Systems

As shown in FIG. 14, a system for connecting a call to a client of a preferred embodiment preferably includes a system bridge 210, a pub/sub system 220, and optionally a policy engine 230. The system preferably functions to facilitate connecting an outside entity to a client 260. The system preferably implements the above method. The system bridge 210 preferably includes an incoming channel to receive incoming calls or video such as from a PSTN device, another client device, or any suitable source. In one embodiment, the system bridge 210 includes a communication link to a call router 250 of a telephony platform. In another embodiment, the system bridge 210 is integrated into a call router 250. In another implementation, a SIP endpoint is used in place of a call router. As shown in FIG. 15, the system bridge 210 may be a cloud environment or system bridge cluster composed of a plurality of system bridges (210 a, 210 b, 210 n). The system bridge 210 preferably additionally includes internet channels to be accessed by a client 260. The system bridge 210 preferably connects to the pub/sub system 220, and the pub/sub system 220 preferably maintains persistent connections to clients. The pub/sub system 220 may use any suitable technology such as websockets, HTTP server push, adobe flash sockets, AJAX long polling, AJAX multipart streaming, forever iframes, jsonp polling, Comet, XMPP, BOSH, or any suitable communication technology to facilitate subscription and publication channels. Any suitable system may be used in place of the pub/sub system such as a queuing system. The client 260 preferably includes native or web application code that cooperates with the system to establish a subscription through the pub/sub system 220 to the system bridge 210 and to send a client communication that is received by the system bridge 210. The client preferably uses HTTP or HTTPS or any suitable communication protocol. 
Additionally, a policy engine 230 may be an intermediary system for the communication channel between clients and the system bridge 210. The policy engine 230 preferably authenticates signed messages using web tokens, but may alternatively be configured for any suitable form of authentication. An authentication application server 240 preferably facilitates the distribution and/or processing of authentication tokens.

The system preferably implements the above methods in a computer-readable medium storing computer-readable instructions. The instructions are preferably executed by computer-executable components preferably integrated with the system bridge 210, the pub/sub system 220, and the optional policy engine 230. The computer-readable medium may be stored on any suitable computer readable media such as RAMs, ROMs, flash memory, EEPROMs, optical devices (CD or DVD), hard drives, floppy drives, or any suitable device. The computer-executable component is preferably a processor but the instructions may alternatively or additionally be executed by any suitable dedicated hardware device.

As a person skilled in the art will recognize from the previous detailed description and from the figures and claims, modifications and changes can be made to the preferred embodiments of the invention without departing from the scope of this invention defined in the following claims. 

We claim:
 1. A method comprising: establishing, by a system bridge, a client subscription channel between the system bridge and a first client device; after establishing the client subscription channel, receiving, from an external application, a first incoming communication including a message directed to the first client device, the first incoming communication including a client identifier assigned to the first client device; transmitting the client identifier included in the first incoming communication to the first client device via the client subscription channel; receiving a second incoming communication from the first client device, the first client device having transmitted the second incoming communication to the system bridge in response to receiving the client identifier via the client subscription channel, second incoming communication including an incoming call initiated by the first client device in response to receiving the message from the external application; and initiating a communication session between the first client device and the external application by merging the second incoming communication that includes the incoming call received from the first client device with the first incoming communication that includes the message received from the external application.
 2. The method of claim 1, wherein transmitting the client identifier to the first client device via the client subscription channel comprises: posting the client identifier to the client subscription channel, thereby causing the client identifier to be received by a set of client devices that are subscribed to the client subscription channel.
 3. The method of claim 2, further comprising: subscribing a second client device to the client subscription channel, wherein the set of client devices that are subscribed to the client subscription channel includes the first client device and the second client device.
 4. The method of claim 3, further comprising: receiving, from a second external application, a third incoming communication directed to the second client device, the second incoming communication including a second client identifier assigned to the second client device; and posting the second client identifier to the client subscription channel.
 5. The method of claim 4, further comprising: receiving a fourth incoming communication from the second client device, the second client device having transmitted the fourth incoming communication to the system bridge in response to receiving the second client identifier; and initiating a second communication session between the second client device and the second external application by merging the third incoming communication received from the second client device with the fourth incoming communication received from the second external application.
 6. The method of claim 1, further comprising: providing the client identifier to a policy engine; receiving an authentication token from the policy engine; and authenticating the first client device based on verification of the authentication token.
 7. The method of claim 1, further comprising: prior to transmitting the client identifier to the first client device via the client subscription channel, encrypting the client identifier with a key.
 8. A system bridge comprising: one or more computer processors; and one or more computer-readable mediums storing instructions that, when executed by the one or more computer processors, cause the system bridge to perform operations comprising: establishing, by a system bridge, a client subscription channel between the system bridge and a first client device; after establishing the client subscription channel, receiving, from an external application, a first incoming communication including a message directed to the first client device, the first incoming communication including a client identifier assigned to the first client device; transmitting the client identifier included in the first incoming communication to the first client device via the client subscription channel; receiving a second incoming communication from the first client device, the first client device having transmitted the second incoming communication to the system bridge in response to receiving the client identifier via the client subscription channel, the second incoming communication including an incoming call initiated by the first client device in response to receiving the message from the external application; and initiating a communication session between the first client device and the external application by merging the second incoming communication that includes the incoming call received from the first client device with the first incoming communication that includes the message received from the external application.
 9. The system bridge of claim 8, wherein transmitting the client identifier to the first client device via the client subscription channel comprises: posting the client identifier to the client subscription channel, thereby causing the client identifier to be received by a set of client devices that are subscribed to the client subscription channel.
 10. The system bridge of claim 9, the operations further comprising: subscribing a second client device to the client subscription channel, wherein the set of client devices that are subscribed to the client subscription channel includes the first client device and the second client device.
 11. The system bridge of claim 10, the operations further comprising: receiving, from a second external application, a third incoming communication directed to the second client device, the second incoming communication including a second client identifier assigned to the second client device; and posting the second client identifier to the client subscription channel.
 12. The system bridge of claim 11, the operations further comprising: receiving a fourth incoming communication from the second client device, the second client device having transmitted the fourth incoming communication to the system bridge in response to receiving the second client identifier; and initiating a second communication session between the second client device and the second external application by merging the third incoming communication received from the second client device with the fourth incoming communication received from the second external application.
 13. The system bridge of claim 8, the operations further comprising: providing the client identifier to a policy engine; receiving an authentication token from the policy engine; and authenticating the first client device based on verification of the authentication token.
 14. The system bridge of claim 8, the operations further comprising: prior to transmitting the client identifier to the first client device via the client subscription channel, encrypting the client identifier with a key.
 15. A non-transitory computer-readable medium storing instructions that, when executed by one or more computer processors of a system bridge, cause the system bridge to perform operations comprising: establishing, by a system bridge, a client subscription channel between the system bridge and a first client device; after establishing the client subscription channel, receiving, from an external application, a first incoming communication including a message directed to the first client device, the first incoming communication including a client identifier assigned to the first client device; transmitting the client identifier included in the first incoming communication to the first client device via the client subscription channel; receiving a second incoming communication from the first client device, the first client device having transmitted the second incoming communication to the system bridge in response to receiving the client identifier via the client subscription channel, the second incoming communication including an incoming call initiated by the first client device in response to receiving the message from the external application; and initiating a communication session between the first client device and the external application by merging the second incoming communication that includes the incoming call received from the first client device with the first incoming communication that includes the message received from the external application.
 16. The non-transitory computer-readable medium of claim 15, wherein transmitting the client identifier to the first client device via the client subscription channel comprises: posting the client identifier to the client subscription channel, thereby causing the client identifier to be received by a set of client devices that are subscribed to the client subscription channel.
 17. The non-transitory computer-readable medium of claim 16, the operations further comprising: subscribing a second client device to the client subscription channel, wherein the set of client devices that are subscribed to the client subscription channel includes the first client device and the second client device.
 18. The non-transitory computer-readable medium of claim 17, the operations further comprising: receiving, from a second external application, a third incoming communication directed to the second client device, the second incoming communication including a second client identifier assigned to the second client device; and posting the second client identifier to the client subscription channel.
 19. The non-transitory computer-readable medium of claim 18, the operations further comprising: receiving a fourth incoming communication from the second client device, the second client device having transmitted the fourth incoming communication to the system bridge in response to receiving the second client identifier; and initiating a second communication session between the second client device and the second external application by merging the third incoming communication received from the second client device with the fourth incoming communication received from the second external application.
 20. The non-transitory computer-readable medium of claim 15, the operations further comprising: providing the client identifier to a policy engine; receiving an authentication token from the policy engine; and authenticating the first client device based on verification of the authentication token. 